From 9587d14803de9480c7870a6d034bc14cf5d18b52 Mon Sep 17 00:00:00 2001
From: Bernd Worsch <bernd.worsch@gmail.com>
Date: Sat, 21 Mar 2026 09:43:35 +0000
Subject: [PATCH] fix(privacyidea): override PRIVACYIDEA_CONFIGFILE to use
 mounted pi.cfg

gpappsoft image sets PRIVACYIDEA_CONFIGFILE=/privacyidea/etc/pi.cfg
internally, causing it to ignore our mounted configmap at
/etc/privacyidea/pi.cfg and fall back to SQLite.

Override the env var so the entrypoint reads our pi.cfg, which points
to PostgreSQL via PI_SQLALCHEMY_DATABASE_URI from the secret.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 sso-mfa/k8s/privacyidea/deployment.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sso-mfa/k8s/privacyidea/deployment.yaml b/sso-mfa/k8s/privacyidea/deployment.yaml
index 6ff3ecd..a1505d4 100644
--- a/sso-mfa/k8s/privacyidea/deployment.yaml
+++ b/sso-mfa/k8s/privacyidea/deployment.yaml
@@ -64,7 +64,13 @@ spec:
               containerPort: 8080
               protocol: TCP
 
-          # ── Environment — sensitive values from Secret ──────────────────
+          # ── Environment ─────────────────────────────────────────────────
+          # Tell gpappsoft entrypoint to use our mounted pi.cfg instead of
+          # the image's built-in /privacyidea/etc/pi.cfg.
+          env:
+            - name: PRIVACYIDEA_CONFIGFILE
+              value: /etc/privacyidea/pi.cfg
+          # Sensitive values from Secret (PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI)
           envFrom:
             - secretRef:
                 name: privacyidea-config